The electronic storage of sensitive user-specific information by a multitude of institutions has brought about the need for methods that prevent identity theft as well as unauthorized access. Unauthorized access may result in irrecoverable monetary and economic losses. User-specific information may be accessed using input devices (e.g., keyboards) that may be found on a plurality of electronic devices, such as computers.
A popular method used to limit access to user-specific information is through the identity authentication process. For example, in the authentication process, a unique username may be associated with a specific password. Access to a specific account is only granted if the correct password is provided with the specific username.
However, the ever-rapid improvement in computing power has increased the vulnerability of user-specific information protected by passwords. Currently, easily accessible dictionaries containing volumes of common alphanumeric combinations may be downloaded from the Internet, making brute force disruptive methods (e.g., “dictionary attacks”) possible. With further advancements, electronic devices with sufficient computing power to efficiently perform exhaustive search and match algorithms for all possible character combinations, based on the number of characters in the password field, may become readily available. Consequently, even strong passwords may become vulnerable.
To provide additional protection, some institutions have implemented account access fortification. Currently, account access fortification has been attempted through two general methods: biometric information and absolute keystroke time measurement identity authentication. The use of biometric information as a method of authentication involves measuring a person's physiological or behavioral features. Hence, biometric information may be collected through various methods such as fingerprints, facial feature recognition, DNA-based identification, and voice imprints. Since the usage of biometric information usually requires the installation of expensive information collection equipment at the user end, the use of biometric information as an authentication method has been limited.
Another method of account access fortification is through absolute keystroke time measurement identity authentication. This method does not require installation of specialized information collection equipment; however, the low accuracy rate has resulted in relatively few implementations.
To facilitate the discussion, FIG. 1 illustrates a flowchart of the absolute keystroke time measurement identity authentication method. At step 102, a new user logs onto the operating environment of an electronic device. At step 104, the new user is required to enter his username, password, first name and last name a plurality of times (e.g., eight times). At step 106, an algorithm is used to record the absolute time measurement of the new user's keystrokes. For example, the word “sam” involves the entry of three keystrokes: “s,” “a,” and “m”. From time zero (t0), the absolute time measurement for the letter “s” may be 0.4 seconds, the absolute time measurement for the letter “a” may be 0.8 seconds, and the absolute time measurement for the letter “m” may be 1.2 seconds.
At step 108, a plurality of time measurement data collected for each key press is subsequently used to calculate the mean and standard deviation values for each individual key. At step 110, the time measurement values for each key press that fall outside of a pre-established standard deviation value (e.g., three standard deviations) of the calculated time value for each key pressed are discarded. The mean and standard deviation values for the time measurement of each key press are then recalculated to establish acceptance criteria for future logon experience. At step 112, the user is accepted and is able to access the account.
For example, a user logs onto an account for the first time. The user provides a username of “sam,” a password of “cat,” a first name of “sam,” and a last name of “tall”. Assume that the user has to type each of these values eight times. Thus, for the username “sam” the user has to type each character eight times, so 24 absolute time measurement values are collected. The mean and standard deviation values are calculated from the time measurement values collected for each key press. Thus, the username “sam” will have mean and standard deviation values for each of the 3 characters. Once the mean and standard deviation values have been calculated, the absolute time measurement values for each key press are compared against the standard deviation values for that specific key press. The absolute time measurement values for each key press that are not within three standard deviation values are dropped and the remaining absolute time measurement values are used to recalculate the mean and standard deviation values to establish the acceptance criteria for future logon experience.
In future logon sessions, a registered user (step 114) logs onto an operating environment of an electronic device by typing in his username, password, first name and last name (step 116). The absolute time measurement values for the keystrokes entered for the aforementioned four variables are then obtained (step 118). At step 120, if more than a pre-established percentage (e.g., 60%) of the absolute time measurement values fall within the acceptance criteria established for each keystroke during the first logon session, the registered user is granted access (step 112) to the account information. However, if the absolute time measurement values are not within the acceptance criteria, then the user is denied access to the account (step 122).
There are several disadvantages associated with the absolute keystroke time measurement identity authentication method. Since the method relies on absolute keystroke time measurement values, users may be erroneously rejected if their typing speeds vary from one logon session to the next. Also, the timing analysis of this authentication method lacks sufficient detail because it does not account for keystroke overlap (e.g., the time interval between the current key and the next key being pressed).
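The enrollment and logon steps of FIG. 1 (steps 106 to 122) and the speed-variation weakness just described can be traced in a short sketch. This is an added example, not code from the original document: the function names, the sample timings, and the choice of "recalculated mean plus or minus three standard deviations" as the per-key acceptance window are assumptions.

```python
from statistics import mean, stdev

OUTLIER_SIGMA = 3.0     # step 110: "three standard deviations"
ACCEPT_FRACTION = 0.60  # step 120: "more than ... 60%"

def enroll(samples, k=OUTLIER_SIGMA):
    """Steps 106-110. samples: one list of absolute key times (seconds from
    t0) per repetition. Returns a (mean, std) pair per key position."""
    profile = []
    for times in zip(*samples):            # every repetition of one key
        m, s = mean(times), stdev(times)
        kept = [t for t in times if abs(t - m) <= k * s]   # drop outliers
        profile.append((mean(kept), stdev(kept)))          # recalculate
    return profile

def authenticate(profile, attempt, k=OUTLIER_SIGMA, need=ACCEPT_FRACTION):
    """Steps 116-122. Assumption: a keystroke matches when its absolute time
    lies within k recalculated standard deviations of the enrolled mean."""
    if len(attempt) != len(profile):
        return False
    hits = sum(abs(t - m) <= k * s for t, (m, s) in zip(attempt, profile))
    return hits / len(profile) > need

# Constructed enrollment data: eight repetitions of "sam", centred on the
# 0.4 / 0.8 / 1.2 second figures above with a few hundredths of jitter.
ENROLL = [
    [0.40, 0.80, 1.20], [0.42, 0.83, 1.22], [0.38, 0.78, 1.17],
    [0.41, 0.79, 1.21], [0.39, 0.82, 1.19], [0.43, 0.81, 1.23],
    [0.37, 0.77, 1.18], [0.40, 0.80, 1.20],
]
PROFILE = enroll(ENROLL)

SAME_PACE = [0.41, 0.79, 1.22]   # constructed: same user, usual speed
SLOWER = [0.50, 1.00, 1.50]      # constructed: same rhythm, 25% slower

if __name__ == "__main__":
    for name, attempt in (("same pace", SAME_PACE), ("25% slower", SLOWER)):
        verdict = "accept" if authenticate(PROFILE, attempt) else "deny"
        print(f"{name}: {verdict}")
```

The slower attempt keeps the same relative rhythm yet misses every absolute-time window, which is the erroneous rejection described above. Note also that among n samples none can lie more than (n-1)/√n sample standard deviations from their mean (about 2.47 for n = 8), so with eight repetitions the three-standard-deviation filter of step 110 never discards anything.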
In other instances, artificial intelligence has been demonstrated to improve the accuracy of the absolute keystroke time measurement identity authentication method through the use of fuzzy logic, artificial neural networks, and genetic algorithms. However, a disadvantage with artificial intelligence is that the solution requires significant “training” time to allow the “intelligence” to recognize a user's typing pattern in order to predict future typing patterns. Furthermore, adding or removing a user account generally requires the “intelligence” to be re-trained, thus rendering the process cumbersome to implement and execute.